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26 March 2019 
Dear Sir/ Madam, 
Consultation on Protective Orders for People at Risk of Domestic Abuse 


1. The Information Commissioner's Office (ICO) is pleased to respond to the 
Scottish Government’s consultation on Protective Orders for People at Risk of 
Domestic Abuse. 


2. The ICO has responsibility for, amongst other things, promoting and enforcing 
the EU General Data Protection Regulation (GDPR) and the UK Data Protection 
Act 2018 (DPA 2018). 


3. The ICO is independent of government and upholds information rights in the 
public interest, promoting openness by public bodies and data privacy for 
individuals. The ICO does this by providing guidance to individuals and 
organisations, solving problems where we can, and taking appropriate action 
where the law is broken. 


4. Data protection legislation protects individuals’ personal data rights. When 
personal data is lost, stolen or shared or used inappropriately it can lead to 
harm, distress and negative impacts on personal rights and freedoms. It is vital 
therefore that strong personal data protection policies and procedures are a 
central pillar in any approach to protecting victims of domestic abuse. This 
ensures that the risk of additional harms or distress to vulnerable individuals 
and families relating to inappropriate processing of personal data is minimised. 


5. Itis also important to note that suspected perpetrators also have the right to 
have their personal data rights protected. 


6. While the ICO cannot comment on policy to tackle domestic abuse we can 
support the Government and the proposed data controllers to consider the 
impact of legislative proposals on individuals data protection rights, how risks to 
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rights and freedoms can be minimised and ultimately, how data protection 
legislation can be complied with. 


We set out below some key sections of data protection legislation that the 
Scottish Government should have regard in developing these proposals. 


Consultation with the ICO 


8. 


10. 


11. 


Article 36(4) of the GDPR requires the Scottish Government to consult with the 
ICO when developing proposals for legislation to be passed by the Scottish 
Parliament, or regulatory measures based on such legislation, relating to the 
processing of personal data. This includes: 


i. primary and secondary legislation; 

ii. regulatory measures (such as regulations, directions and orders) made 
under primary or secondary legislation; 

iii. statutory codes of practice; and 

iv. statutory guidance. 


In addition Article 28(2) of the Law Enforcement Directive states that: 
“Member States shall provide for the supervisory authority [in the case of 
Scotland, the ICO] to be consulted during the preparation of a proposal for a 
legislative measure to be adopted by a national parliament or of a regulatory 
measure based on such a legislative measure, which relates to processing.” 


Although the above requirement was not transcribed into the DPA 2018 we 
recommend that, in the spirit if the Law Enforcement Directive the Scottish 
Government take the opportunity to consult with us on the development of this 
legislation. 


Any consultation with the ICO should be separate from any general public 
consultation and should be undertaken during the formative stages of the 
development of policy, to ensure that there is the opportunity to give due 
consideration to input from the ICO before the outputs are finalised. 


Privacy by Design 


12. 


Section 57 of the DPA 2018 sets out the requirement that data controllers 
implement data protection by design and default. This means considering 

privacy and data protection issues at the “time of the determination of the 
means of processing the data and at the time of the processing itself”. 


Data Protection I mpact Assessment 
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13. 


14. 


15. 


16. 


17. 


In circumstances where proposed processing is likely to result in a serious risk 
to the rights and freedoms of individuals the DPA 2018 requires the data 
controller to carry out a Data Protection Impact Assessment (Section 64, DPA, 
2018). 


The processing of personal data in relation to protective orders will result in 
significant infringements of the suspected perpetrator’s European Convention on 
Human Rights, Article 8 rights whilst the order is in force. Infringements could 
continue after the order has expired depending on record retention policies and 
who has access to information relating to the order. 


A DPIA allows for systematic consideration of the proposed processing. The 
purpose, the lawful basis, what information it is necessary to collect and 
process, the likely impact on the rights and freedoms of individuals involved, 
whether any infringements on rights are necessary and proportionate, how 
individuals can access their data protection rights and finally how risks can be 
managed and mitigated. 


Completing a DPIA will help the Scottish Government prepare a comprehensive 
impact assessment of the policy proposals and put forward a bill containing 
proposals designed to minimise risks to the rights and freedoms of individuals. 


Our recommendation therefore, is that the Scottish Government carry out a 
DPIA as part of the legislative development process. 


Question 14: views on whether there should be a statutory duty on the 
police, when making an application to the courts, or putting in place 
protective measures, to refer a person at risk to support services 


18. 


19. 


20. 


A statutory duty would provide the police with a clear legal gateway for sharing 
information with support services however it may not be necessary or 
appropriate for a referral to take place in every case indeed it may be counter- 
productive if it goes against the victims’ wishes. 


In determining how best to ensure that those that would benefit from specialist 
support receive that support the Scottish Government may wish to review 
existing referral mechanisms and provisions under the DPA 2018 or elsewhere 
to determine whether these currently provide a robust, lawful basis for 
information sharing where it is appropriate. 


If existing routes are not sufficient the Scottish Government may wish to 
consider introducing a statutory duty that could be applied on a case by case 
basis to avoid counterproductive blanket referrals. 
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21. The ICO will publish a revised data sharing code of practice in 2019 which may 
be of assistance. 


22. We trust this response is helpful and we look forward to the Scottish 
Government undertaking detailed consultation with us as its proposals develop. 
Should the Scottish Government require clarification of any of the points made, 
please contact us on 0303 123 1115 or by email at scotland@ico.org.uk. 


Yours sincerely 


Maureen H Falconer 
Regional Manager - Scotland 
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